- From: David Chadwick <d.w.chadwick@kent.ac.uk>
- Date: Tue, 09 Oct 2012 15:10:23 +0100
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- CC: Melvin Carvalho <melvincarvalho@gmail.com>, Ron Garret <ron@flownet.com>, Anders Rundgren <anders.rundgren@telia.com>, Henry Story <henry.story@bblfish.net>, public-identity@w3.org
Thanks Stephen. Let's hope one of these makes RFC soon

David

On 08/10/2012 12:38, Stephen Farrell wrote:
>
> Hi David,
>
> FWIW, a few of us have proposed a similar approach covering HTTP
> authentication and JavaScript. [1] Others had also earlier gone
> down the TLS route. [2]
>
> I think there's definitely merit in investigating such approaches,
> mainly because they don't need passwords, but also partly due to
> the very thing to which you're objecting - any handling of user
> names or identifiers can be part of the application and not a part
> of some security infrastructure. (Maybe I've just developed too
> many of those over the years:-)
>
> Cheers,
> S.
>
> [1] http://tools.ietf.org/html/draft-farrell-httpbis-hoba
> [2] http://tools.ietf.org/html/draft-balfanz-tls-obc
>
> On 10/08/2012 12:25 PM, David Chadwick wrote:
>> Hi Ron
>>
>> I have tested your system and demo and it works fine, as you say.
>>
>> I guess my question to you is, Why would a web site bother in trusting
>> the dswi.net server since it does not perform any authentication on the
>> user? The value add is surely quite small (zero trust, adding a third
>> party to the client server comms, but making the comms a bit easier).
>>
>> What is to stop the web site from running JavaScript in the browser in
>> a similar way to that used by dswi, that causes the browser to create a
>> key pair for the user (if it does not already exist), and then use this
>> each time to validate the user by using TLS client side authn? In this
>> way the web site does not need to trust dswi.net, there is no third
>> party involved, and the client cert proves it's the same user each time.
>>
>> regards
>>
>> David
>>
>>>
>>> As long as Forge has entered the conversation I would also like to
>>> point to my own identity project:
>>>
>>> http://dswi.net/
>>>
>>> DSSID uses Forge for its crypto, but it uses a different protocol
>>> specifically designed to be simple for clients to integrate with.
>>> Note: this code is not ready for production use. Feedback and
>>> comments are welcome.
>>>
>>>
>>> Wow, looks really nice.
>>>
>>> If I'm not mistaken, it's quite similar to a web version of SSH?
>>>
>>> Does this solve Harry's unlinkability problem too?
>>>
>>>
>>> rg
>>>
>>>
>>
>>
>>
>
Received on Tuesday, 9 October 2012 14:10:58 UTC
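
The idea raised in the thread (the browser creates a key pair per site on first visit and reuses it so the site can recognise the same user without a password or a third party) can be sketched as follows. This is an added example, not code from the thread, DSSID, or either Internet-Draft; a signed challenge stands in for TLS client authentication, and the `Client` and `Site` classes, the `origin|nonce` message layout and the `a.example` style origins are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Browser side (hypothetical): one key pair per origin, created on first use and then reused.
class Client {
  constructor() { this.keys = new Map(); }
  keyFor(origin) {
    if (!this.keys.has(origin)) {
      this.keys.set(origin, nodeCrypto.generateKeyPairSync('ed25519'));
    }
    return this.keys.get(origin);
  }
  publicKeyPem(origin) {
    return this.keyFor(origin).publicKey.export({ type: 'spki', format: 'pem' });
  }
  // The origin is signed together with the nonce, so a signature is only valid at one site.
  sign(origin, nonce) {
    return nodeCrypto.sign(null, Buffer.from(`${origin}|${nonce}`), this.keyFor(origin).privateKey);
  }
}

// Web site side (hypothetical): no passwords, no third party; an account is just a key.
class Site {
  constructor(origin) {
    this.origin = origin;
    this.pending = new Set();   // nonces issued and not yet used
    this.accounts = new Map();  // key fingerprint -> login count
  }
  challenge() {
    const nonce = nodeCrypto.randomBytes(16).toString('hex');
    this.pending.add(nonce);
    return nonce;
  }
  // Returns { id, firstVisit } on success, null on any failure.
  login(publicKeyPem, nonce, signature) {
    if (!this.pending.delete(nonce)) return null; // unknown or replayed nonce
    let key;
    try { key = nodeCrypto.createPublicKey(publicKeyPem); } catch { return null; }
    if (key.asymmetricKeyType !== 'ed25519') return null;
    const data = Buffer.from(`${this.origin}|${nonce}`);
    if (!nodeCrypto.verify(null, data, key, signature)) return null;
    // Fingerprint the DER encoding so PEM formatting differences do not create new accounts.
    const der = key.export({ type: 'spki', format: 'der' });
    const id = nodeCrypto.createHash('sha256').update(der).digest('hex');
    const firstVisit = !this.accounts.has(id);
    this.accounts.set(id, (this.accounts.get(id) || 0) + 1);
    return { id, firstVisit };
  }
}
```

Because each origin gets its own key, two sites see unrelated public keys for the same client, and a signature produced for one origin fails verification at another.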